Thunderbird and OpenPGP - Why not GnuPG by default?

Kai Engert kaie at kuix.de
Tue Dec 3 19:35:01 UTC 2019


Why did we decide to not use GnuPG as the default engine for OpenPGP
messaging in TB 78?

Our Wiki [1] article already touched that topic, and mentioned the
licensing issue as a primary argument.

Note that I'm not a lawyer, and the following statements will be based
on my personal interpretation, which may be wrong.

Our intention is to provide a solution that can work out of the box, in
which downloading Thunderbird can be sufficient, and doesn't require the
user to perform any separate software installation.

If we used GnuPG, we'd be required to distribute the respective version
of GnuPG as part of Thunderbird on all platforms that we support.

Because the GnuPG software is GPL, only, and because we'd like to
distribute Thunderbird under the MPL license terms, we'd have to be very
careful to avoid violating the GPL license. In my understanding, we'd be
required to ensure that GnuPG remains a fully separate program from
Thunderbird (and there might be additional requirements).

These requirements introduce complexity. When we talked with Patrick
Brunschwig about this topic, he advised that based on his experience as
the maintainer and developer of Enigmail, the interaction with the
external GnuPG software was a constant source for support requests.
Frequently, Enigmail didn't behave as intended, and often it was found
that the cause of the issue was a nonworking interaction with the
separate GnuPG software.

If Thunderbird decided to distribute GnuPG software, the situation might
get even more complicated. If users already have a copy of GnuPG
installed on their system, we'd have to be careful to avoid any
potential conflicts that might occur by having two competing copies of
GnuPG installed on a computer.

Also, we'd have to worry about potentially sharing the key store with
other applications, other versions of GnuPG, and maybe even incompatible
configuration?

We'd like to avoid that complexity for the majority of Thunderbird
users, and in addition to the complex license situation, that's an
additional motivation to identify a suitable alternative engine for
processing OpenPGP messages and keys by default.

We aren't completely ruling out that Thunderbird might ever support the
ability to use GnuPG. In particular, there'll soon be another post on
the topic of using OpenPGP smartcards, which will present an idea that
involves the use of GnuPG.

Kai


[1] https://wiki.mozilla.org/Thunderbird:OpenPGP:2020



More information about the tb-planning mailing list